Zero Trust for AI: Why Autonomous Agents Require a New Security Paradigm

F5 ADSP | July 09, 2025

Zero Trust has long been the standard for securing human access, but today’s enterprise environments demand a new extension: Zero Trust for AI. As AI agents begin making decisions, interacting with systems, and initiating actions, the traditional security perimeter must expand. The question is no longer if AI should be trusted; it’s how we enforce Zero Trust for AI systems from the start.

When “Safe by Design” Isn’t Safe Enough

There’s a growing belief that protocols like Model Context Protocol (MCP) offer a “safe” way to deploy AI agents—limiting what they can access or do. But MCP as the safe protocol is a false narrative. It limits the upside, but it doesn’t limit the downside.

Seemingly safe actions, like an agent querying millions of customer records using a read-only SQL statement, can overwhelm databases, lock up resources, and create vulnerabilities. All without breaking the rules. This isn’t a bug. It’s a byproduct of giving agents tools without strong oversight.

Zero Trust for Agents Starts With Nothing

That’s why it’s time to apply Zero Trust not just to users, but to AI agents. And not as a metaphor. As a framework: denying every action by default with human-assisted permissioning along the way.

This framework assumes every agent is untrusted at the start. Access is not just role-based, but use-case-based, tied to time, context, and intent. Need to read from a table? You get access to that table and nothing else. Need to take action? That action is scoped, logged, and monitored.

And just like today’s concerns around leaked API credentials, agent keys and model permissions must be governed with the same scrutiny we give to cloud workloads and privileged users.

Why This Shift Matters

As AI becomes more embedded across workflows, security can’t rely on legacy assumptions. Agents don’t forget. They don’t fatigue. And if misused, they don’t ask for forgiveness.

Zero Trust for agents means:

  • Deny by default: Agents don’t start with access; they earn it
  • Human-in-the-loop escalation: Sensitive permissions require explicit approvals
  • Use-case scoping: Access is contextual, not universal
  • Observability by design: Every request, response, and output is logged, analyzed, and auditable

This approach ensures that the speed at which AI operates doesn’t become a liability.
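
The four principles above, sketched as a small policy decision point. This is an added example, not F5 code or any product's API; the class names, the "sensitive" action set, the row budget, and the sample agent, tables and approver are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SENSITIVE_ACTIONS = {"write", "delete"}  # assumption: these need human sign-off

@dataclass(frozen=True)
class Grant:
    agent: str
    action: str
    resource: str
    use_case: str      # the intent this grant was approved for
    expires: datetime  # time-boxed access
    max_rows: int      # budget so a "read-only" query cannot scan everything

class PolicyEngine:
    def __init__(self, grants):
        self.grants = list(grants)
        self.audit = []  # every decision is recorded, allowed or not

    def decide(self, agent, action, resource, use_case, rows, now, approved_by=None):
        verdict, reason = "deny", "no matching grant"  # deny by default
        for g in self.grants:
            if (g.agent, g.action, g.resource, g.use_case) != (agent, action, resource, use_case):
                continue
            if now >= g.expires:
                verdict, reason = "deny", "grant expired"
            elif rows > g.max_rows:
                verdict, reason = "deny", "row budget exceeded"
            elif action in SENSITIVE_ACTIONS and approved_by is None:
                verdict, reason = "escalate", "human approval required"
            else:
                verdict, reason = "allow", "within grant"
            break  # the first grant matching the full scope decides
        self.audit.append({"time": now.isoformat(), "agent": agent, "action": action,
                           "resource": resource, "use_case": use_case, "rows": rows,
                           "approved_by": approved_by, "verdict": verdict, "reason": reason})
        return verdict

def demo():
    now = datetime(2025, 7, 9, 12, 0, tzinfo=timezone.utc)  # constructed sample data
    exp = now + timedelta(hours=1)
    engine = PolicyEngine([
        Grant("billing-agent", "read", "table:invoices", "monthly-report", exp, 10_000),
        Grant("billing-agent", "write", "table:invoices", "refund", exp, 1)])
    reqs = [("read", "table:invoices", "monthly-report", 500, None),
            ("read", "table:customers", "monthly-report", 500, None),
            ("read", "table:invoices", "monthly-report", 5_000_000, None),
            ("write", "table:invoices", "refund", 1, None),
            ("write", "table:invoices", "refund", 1, "alice@example.com")]
    return [engine.decide("billing-agent", a, r, u, n, now, by) for a, r, u, n, by in reqs], engine.audit
```

The third request is the read-only query from earlier in the post: it matches a valid grant and breaks no rule, and is still denied because it exceeds the row budget attached to that grant.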

A New Security Layer for a New Era

This is where AI runtime security solutions come into play: creating dynamic guardrails around how AI agents interact with systems, data, and users in real time. Just like we once redefined network perimeters for the cloud, we now need to redefine behavioral perimeters for autonomous systems. The bottom line is that Zero Trust needs to grow up, because AI agents are here, they’re powerful, and they don’t come with good instincts. Security teams must build systems that assume every agent interaction could go wrong, and provide the oversight to make sure it doesn’t.
